Skip to content
/ MSP-Attacks Public

A comprehensive repository of research papers and resources on adversarial attacks targeting autonomous driving perception systems, focusing on single-sensor vulnerabilities and multi-sensor fusion exploitation.

License

MIT license
11 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Lyon2020/MSP-Attacks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
assets
assets
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

🚗 A Survey on Adversarial Attacks on Autonomous Vehicles: A Multi-Sensor Perspective

📌 Overview

MSP-Attacks is a curated repository of research papers on adversarial attacks targeting autonomous driving perception systems. This project focuses on vulnerabilities across single-sensor modalities and multi-sensor fusion frameworks, aiming to provide the community with a structured reference for understanding, comparing, and tracking the latest research trends.

🎯 Research Scope

Vehicle Sensor Silhouette Diagram
Figure 1 visualizes the overarching framework of this survey, mapping the scope of multi-modal adversarial research onto the spatial configuration of Camera, LiDAR, Radar, and GPS sensors.

🚀 Table of Contents

Methods: A Survey

Adversarial Attacks on Camera

Adversarial Attacks on 2D Tasks——Classification and Detection

Year Venue Paper Title Link
2025 ICCV Towards Powerful and Practical Patch Attacks for 2D Object Detection in Autonomous Driving -
2025 ICCV Adversarial Attention Perturbations for Large Object Detection Transformers Code
2024 NeurIPS Revisiting Adversarial Patches for Designing Camera-Agnostic Attacks against Person Detection Code
2024 IJCV Infrared Adversarial Patches with Learnable Shapes and Locations in the Physical World Code
2024 T-IFS Stealthy and Effective Physical Adversarial Attacks in Autonomous Driving Project Page
2024 T-PAMI Unified Adversarial Patch for Visible-Infrared Cross-Modal Attacks in the Physical World Code
2024 T-ITS CARLA-GEAR: ADataset Generator for a Systematic Evaluation of Adversarial Robustness of Vision Models Code
2024 Neural Networks Adversarial Infrared Curves: An Attack on Infrared Pedestrian Detectors in the Physical World -
2024 Neural Networks Adversarial infrared blocks: A mul...black-box attack to thermal infrared detectors in physical world Code
2024 NDSS Invisible Reflections: Leveraging Infrared Laser Reflections to Target Traffic Sign Perception Project Page
2024 JIOT OptiCloak: Blinding Vision-Based Autonomous Driving Systems Through Adversarial Optical Projection -
2023 IV Adversarial Driving: Attacking End-to-End Autonomous Driving Code
2023 Computers & Security Light can be Dangerous: Steal...y and Effective Physical-world Adversarial Attack by Spot Light -
2023 AAAI HOTCOLD Block: Fooling Thermal Infrared Detectors with a Novel Wearable Design Code / Project Page
2023 ICCV Unified Adversarial Patch for Cross-modal Attacks in the Physical World Code
2023 ICCV REAP: ALarge-Scale Realistic Adversarial Patch Benchmark Code
2023 ICCV Does Physical Adversarial Example Really Matter...Towards System-Level Effect of Adversarial Object Evasion Attack Project Page
2023 CVPR Physically Adversarial Infrared Patches with Learnable Shapes and Locations -
2023 PMLR Adversarial Laser Spot: Robust and Covert Physical-World Attack to DNNs Code
2023 USENIX TPatch: A Triggered Physical Adversarial Patch Code
2022 NDSS Fooling the Eyes of Autonomous Vehicles: Robust...al Adversarial Examples Against Traffic Sign Recognition Systems Project Page
2022 CVPR Give me your attention: Dot-product attention considered harmful for adversarial patch robustness -
2022 T-PAMI Adversarial Stickers: A Stealthy Attack Method in the Physical World Code
2022 CVPR Shadows can be Dangerous: Stealthy and Effective Physical-world Adversarial Attack by Natural Phenomenon Code
2021 CVPR Adversarial Laser Beam: Effective Physical-World Attack to DNNs in a Blink Code
2021 IEEE SP Poltergeist: Acoustic Adversarial Machine Learning against Cameras and Computer Vision Code
2021 USENIX SLAP: Improving Physical Adversarial Examples with Short-Lived Adversarial Perturbations Code
2021 JIOT Adaptive Square Attack: Fooling Autonomous Cars With Adversarial Traffic Signs Code
2021 AAAI Fooling Thermal Infrared Pedestrian Detectors in Real World Using Small Bulbs -
2021 ICCV Naturalistic Physical Adversarial Patch for Object Detectors Code
2021 CVPR The Translucent Patch: A Physical and Universal Attack on Object Detectors -
2020 arXiv Dynamic Adversarial Patch for Evading Object Detection Models -
2020 CVPR PhysGAN: Generating Physical-World-Resilient Adversarial Examples for Autonomous Driving Code
2020 CVPR Adversarial Camouflage: Hiding Physical-World Attacks with Natural Styles Code
2020 ICLR FOOLING DETECTION ALONE IS NOT ENOUGH: ADVERSARIAL ATTACK AGAINST MULTIPLE OBJECT TRACKING Code
2020 TPS-ISA Adversarial Objectness Gradient Attacks in Real-time Object Detection Systems Code
2019 CCS Seeing isn’t Believing: Towards More Robust Adversarial Attack Against Real World Object Detectors Project Page
2019 JSA Attacking Vision-based Perception in End-to-End Autonomous Driving Models Code
2019 AAAI Perceptual-sensitive gan for generating adversarial patches -
2019 PMLR Adversarial camera stickers: A physical camera-based attack on deep learning systems Code
2018 CVPR Robust Physical-World Attacks on Deep Learning Visual Classification Code
2017 CVPR NO Need to Worry about Adversarial Examples in Object Detection in Autonomous Vehicles -

Adversarial Attacks on 2D Tasks——Semantic Segmentation

Year Venue Paper Title Link
2025 T-M Black-Box Targeted Adversarial Attack on Segment Anything (SAM) -
2025 IEEE RAL Semantic Hierarchy-Guided Adversarial Attack for Autonomous Driving -
2025 IEEE SPW Do Adversarial Patches Generalize? Attack Transferability Study Across Real-time Segmentation Models in Autonomous Vehicles Code
2025 AAAI Robust SAM: On the Adversarial Robustness of Vision Foundation Models -
2024 TNNLS On the Real-World Adversarial Robustness of Real-Time Semantic Segmentation Models for Autonomous Driving Code
2024 WACV Uncertainty-weighted Loss Functions for Improved Adversarial Attacks on Semantic Segmentation Code
2024 CVPR Practical Region-level Attack against Segment Anything Models -
2024 ACM MM Cascaded Adversarial Attack: Simultaneously Fooling Rain Removal and Semantic Segmentation Networks -
2024 Pattern Recognition Time-aware and Task-transferable Adversarial Attack for Perception of Autonomous Vehicles -
2024 ECCV Towards Reliable Evaluation and Fast Training of Robust Semantic Segmentation Models Code
2023 ACM MM PAIF: Perception-Aware Infrared-Visible Image Fusion for Attack-Tolerant Semantic Segmentation Code
2023 T-CSVT Adversarial Attacks on Video Object Segmentation With Hard Region Discovery -
2023 TNNLS On the Real-World Adversarial Robustness of Real-Time Semantic Segmentation Models for Autonomous Driving Code
2023 CVPR Proximal Splitting Adversarial Attack for Semantic Segmentation Code
2022 ECCV SegPGD: An Effective and Efficient Adversarial Attack for Evaluating and Boosting Segmentation Robustness Code
2022 WACV Evaluating the Robustness of Semantic Segmentation for Autonomous Driving against Real-World Adversarial Patch Attacks Code
2022 WACV Semantically Stealthy Adversarial Attacks against Segmentation Models -
2022 Computers & Security Adversarial Attacks on YOLACT Instance Segmentation -
2021 T-II Adversarial Attack Against Urban Scene Segmentation for Autonomous Vehicles -
2020 RAL Deceiving Image-to-Image Translation Networks for Autonomous Driving With Adversarial Perturbations -
2018 ECCV Characterizing Adversarial Examples Based on Spatial Consistency Information for Semantic Segmentation -
2018 CVPR On the Robustness of Semantic Segmentation Models to Adversarial Attacks Code
2018 CVPR On the Robustness of Semantic Segmentation Models to Adversarial Attacks (Extended Version) Code
2017 ICCV Universal Adversarial Perturbations Against Semantic Image Segmentation -

Adversarial Attacks on 2D Tasks——Lane Detection

Year Venue Paper Title Link
2024 arXiv Discovering New Shadow Patterns for Black-Box Attacks on Lane Detection of Autonomous Vehicles Code
2022 MM Physical Backdoor Attacks to Lane Detection Systems in Autonomous Driving Code
2021 USENIX Dirty Road Can Attack: Security of Deep Learning based Automated Lane Centering under Physical-World Attack Code / Project Page
2021 USENIX Too Good to Be Safe: Tricking Lane Detection in Autonomous Driving with Crafted Perturbations Code / Project Page

Adversarial Attacks on 3D Tasks——Classification and Detection

Year Venue Paper Title Link
2025 T-CSVT A Unified Framework for Adversarial Patch Attacks Against Visual 3D Object Detection in Autonomous Driving -
2025 T-IP Physically Realizable Adversarial Creating Attack Against Vision-Based BEV Space 3D Object Detection -
2025 T-DSC Toward Robust and Accurate Adversarial Camouflage Generation against Vehicle Detectors Code
2025 ICCV 3D Gaussian Splatting Driven Multi-View Robust Physical Adversarial Camouflage Generation Code
2024 NeurIPS CNCA: Toward Customizable and Natural Generation of Adversarial Camouflage for Vehicle Detectors Code
2024 arXiv Adv3D: Generating 3D Adversarial Examples for 3D Object Detection in Driving Scenarios with NeRF Code
2024 IROS Adv3D: Generating 3D Adversarial Examples for 3D Object Detection in Driving Scenarios with NeRF Code
2024 CVPR Towards Transferable Targeted 3D Adversarial Attack in the Physical World Code
2024 CVPR Infrared Adversarial Car Stickers -
2024 TMLR On the Adversarial Robustness of Camera-based 3D Object Detection Code
2024 ICML RAUCA: A Novel Physical Adversarial Attack on Vehicle Detectors via Robust and Accurate Camouflage Generation Code
2024 IJCV Generate Transferable Adversarial Physical Camouflages via Triplet Attention Suppression -
2023 ICCV ACTIVE: Towards Highly Transferable 3D Physical Camouflage for Universal and Robust Vehicle Evasion Project Page
2023 CVPR Understanding the Robustness of 3D Object Detection with Bird’s-Eye-View Representations in Autonomous Driving Code
2023 CVPR Towards Benchmarking and Assessing Visual Naturalness of Physical World Adversarial Attacks Code
2023 Pattern Recognition Boosting Transferability of Physical Attack Against Detectors by Redistributing Separable Attention Code
2022 AAAI FCA: Learning a 3D Full-coverage Vehicle Camouflage for Multi-view Physical Adversarial Attack Code
2022 CVPR DTA: Physical Camouflage Attacks using Differentiable Transformation Network Project Page
2022 IJCAI Learning Coated Adversarial Camouflages for Object Detectors -
2021 CVPR Dual Attention Suppression Attack: Generate Adversarial Camouflage in Physical World Code
2021 JIOT Evaluating Adversarial Attacks on Driving Safety in Vision-Based Autonomous Vehicles -
2020 CVPR Universal Physical Camouflage Attacks on Object Detectors Code
2020 arXiv Physical Adversarial Attack on Vehicle Detector in the Carla Simulator -
2019 ICLR CAMOU: LEARNING A VEHICLE CAMOUFLAGE FOR PHYSICAL ADVERSARIAL ATTACK ON OBJECT DETECTORS IN THE WILD Code
2018 ICML Synthesizing Robust Adversarial Examples -

Adversarial Attacks on 3D Tasks——Depth Estimation

Year Venue Paper Title Link
2024 CVPR Physical 3D Adversarial Attacks against Monocular Depth Estimation in Autonomous Driving Code
2024 T-PAMI Self-supervised Adversarial Training of Monocular Depth Estimation against Physical-World Attacks Code
2024 ICML BadPart: Unified Black-box Adversarial Patch Attacks against Pixel-wise Regression Tasks Code
2024 USENIX π-Jack: Physical-World Adversarial Attack on Monocular Depth Estimation with Perspective Hijacking Code
2024 NeurIPS Beware of Road Markings: A New Adversarial Patch Attack to Monocular Depth Estimation Code
2024 IEEE Sensors Physical Adversarial Attack on Monocular Depth Estimation via Shape-Varying Patches -
2024 IROS SSAP: A Shape-Sensitive Adversarial Patch for Comprehensive Disruption of Monocular Depth Estimation in Autonomous Navigation Applications Code
2024 ACM ICM DepthCloak: Projecting Optical Camouflage Patches for Erroneous Monocular Depth Estimation of Vehicles -
2023 ICLR Adversarial Training of Self-supervised Monocular Depth Estimation against Physical-World Attacks Code
2022 ECCV Physical Attack on Monocular Depth Estimation with Optimal Adversarial Patches Code
2022 IROS Adversarial Attacks on Monocular Pose Estimation Code
2020 NeurIPS Targeted Adversarial Perturbations for Monocular Depth Prediction -
2020 arXiv Adversarial Attacks on Monocular Depth Estimation -

Adversarial Attacks on LiDAR

Adversarial Attacks on LiDAR——Classification and Detection

Year Venue Paper Title Link
2025 NDSS On the Realism of LiDAR Spoofing Attacks against Autonomous Driving Vehicle at High Speed and Long Distance Project Page
2024 NDSS LiDAR Spoofing Meets the New-Gen: Capability Improvements, Broken Assumptions, and New Attack Strategies Project Page
2024 NDSS Automated Tracking System for LiDAR Spoofing Attacks on Moving Targets Project Page
2024 CVPR Hide in Thicket: Generating Imperceptible and Rational Adversarial Perturbations on 3D Point Clouds Code
2024 T-ITS Sr-adv: Salient Region Adversarial Attacks on 3D Point Clouds for Autonomous Driving -
2023 CVPR SlowLiDAR: Increasing the Latency of LiDAR-Based Detection Using Adversarial Examples Code
2023 T-GRS EVAA—Exchange Vanishing Adversarial Attack on LiDAR Point Clouds in Autonomous Vehicles -
2023 SP PLA-LiDAR: Physical Laser Attacks against LiDAR-based 3D Object Detection in Autonomous Vehicle Project Page
2023 USENIX You Can’t See Me: Physical Removal Attacks on LiDAR-based Autonomous Vehicles Driving Frameworks Project Page
2023 WACV Explainability-aware One Point Attack for Point Cloud Neural Networks Code
2022 AUTOSEC Generating 3D Adversarial Point Clouds under the Principle of LiDARs -
2021 ICCV Fooling LiDAR Perception via Adversarial Trajectory Perturbation Code
2021 CCS Robust Roadside Physical Adversarial Attack Against Deep Learning in LiDAR Perception Modules Project Page
2021 Neurocomputing Adversarial Point Cloud Perturbations Against 3D Object Detection in Autonomous Driving Systems -
2021 CCS Can We Use Arbitrary Objects to Attack LiDAR Perception in Autonomous Driving? -
2020 USENIX Towards Robust LiDAR-based Perception in Autonomous Driving: General Black-box Adversarial Sensor Attack and Countermeasures Project Page
2020 ECCV Adversarial Shape Perturbations on 3D Point Clouds Code
2020 ECCV AdvPC: Transferable Adversarial Perturbations on 3D Point Clouds Code
2020 CVPR Physically Realizable Adversarial Examples for LiDAR Object Detection -
2019 ACM CCS Adversarial Sensor Attack on LiDAR-based Perception in Autonomous Driving Project Page
2019 CVPR Generating 3D Adversarial Point Clouds Code
2019 CVPR Robustness of 3D Deep Learning in an Adversarial Setting Code
2019 arXiv Adversarial Objects Against LiDAR-Based Autonomous Driving Systems Project Page
Adversarial Attacks on LiDAR——Semantic Segmentation
Year Venue Paper Title Link
2025 CVPR Explaining 3D Point Cloud Semantic Segmentation Models Through Adversarial Attacks Code
2025 IEEE RA-L Robust Unsupervised Domain Adaptation for 3D Point Cloud Segmentation Under Source Adversarial Attacks -
2023 DSN On Adversarial Robustness of Point Cloud Semantic Segmentation Code
2023 CVPR Open-set Semantic Segmentation for Point Clouds via Adversarial Prototype Framework -
2021 SenSys Adversarial Attacks Against LiDAR Semantic Segmentation in Autonomous Driving -

Adversarial Attacks on Radar

Year Venue Paper Title Link
2025 MobiSys Toward Spoofing-Resilient and Communication-Integrated MmWave Radar Sensing -
2025 IV Deep Sensor Fusion for Detection and Localization of Automotive Radar Spoofing Attacks -
2025 EEE Communications Surveys & Tutorials A Survey of mmWave Radar-Based Sensing in Autonomous Vehicles, Smart Homes and Industry -
2025 RadarConf25 Adversarial Attack on Automotive Radar Point Cloud Classifiers -
2023 CCS TileMask: A Passive-Reflection-based Attack against mmWave Radar Object Detection in Autonomous Driving -
2023 IEEE SP mmspoof: Resilient Spoofing of Automotive Millimeterwave Radars Using Reflect Array Code
2023 arXiv Madradar: A Black-box Physical Layer Attack Framework on mmWave Automotive FMCW Radars Project Page
2022 ITSM Comparative Analysis of Radar and LiDAR Technologies for Automotive Applications -
2022 arXiv Adversarial Attack on Radar-based Environment Perception Systems -
2021 T-IFS Who Is in Control? Practical Physical Layer Attack and Defense for mmWave-Based Sensing in Autonomous Vehicles Code
2021 JCE Low-cost Distance-spoofing Attack on FMCW Radar and Its Feasibility Study on Countermeasure -
2021 ASHES Spoofing Attacks Against Vehicular FMCW Radar -
2020 Information Sciences Adversarial Attacks on Deep-learning-based Radar Range Profile Target Recognition -
2020 IEEE SPM Toward Robust Sensing for Autonomous Vehicles: An Adversarial Perspective -

Adversarial Attacks on GPS

Year Venue Paper Title Link
2025 IoTJ GPS Attack Detection and Defense for Secure Localization of Automated Vehicles Based on Vehicle-to-Vehicle Technology -
2025 ojvt Detection of Multiple Small Biased GPS Spoofing Attacks on Autonomous Vehicles Using Time Series Analysis -
2025 arXiv GPS Spoofing Attack Detection in Autonomous Vehicles Using Adaptive DBSCAN -
2025 T-PS Safe Driving Adversarial Trajectory Can Mislead: Toward More Stealthy Adversarial Attack Against Autonomous Driving Prediction Module -
2025 IEEE Detection of multiple small biased GPS spoofing attacks on autonomous vehicles -
2024 T-VT Robust Indoor Positioning of Automated Guided Vehicles in Internet of Things Networks With Deep Convolution Neural Network Considering Adversarial Attacks -
2024 T-VT Anomaly Detection and Secure Position Estimation Against GPS Spoofing Attack: A Security-Critical Study of Localization in Autonomous Driving -
2024 IEEE GPS Spoofing Detection on Autonomous Vehicles with XGBoost -
2023 T-ITS Anomaly Detection Against GPS Spoofing Attacks on Connected and Autonomous Vehicles Using Learning From Demonstration -
2023 T-ITS Infrastructure-Enabled GPS Spoofing Detection and Correction -
2023 IEEE A machine learning approach for detecting gps location spoofing attacks in autonomous vehicles -
2023 IEEE Securing Autonomous Vehicles Against GPS Spoofing Attacks: A Deep Learning Approach -
2021 T-M Covert Attacks Through Adversarial Learning: Study of Lane Keeping Attacks on the Safety of Autonomous Vehicles -
2021 IEEE GPS location spoofing attack detection for enhancing the security of autonomous vehicles -
2020 T-VT Localizing Spoofing Attacks on Vehicular GPS Using Vehicle-to-Vehicle Communications -
2019 SP Security of GPS/INS Based On-road Location Tracking Systems -
2019 IEEE Security of GPS/INS based on-road location tracking systems -
2018 USENIX All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems -
2018 USENIX All your ${GPS}$ are belong to us: Towards stealthy manipulation of road navigation systems -

Adversarial Attacks on Multi-Modal Fusion

Year Venue Paper Title Link
2025 CVPRW Probing Vulnerabilities of Vision-LiDAR Based Autonomous Driving Systems -
2024 MobiCom Malicious Attacks against Multi-Sensor Fusion in Autonomous Driving -
2024 ICLR FUSION IS NOT ENOUGH: SINGLE MODAL ATTACKS ON FUSION MODELS FOR 3D OBJECT DETECTION Code / Project Page
2024 IEEE TR UniAda: Universal Adaptive Multiobjective Adversarial Attack for End-to-End Autonomous Driving Systems Code
2023 arXiv Uncertainty-Encoded Multi-Modal Fusion for Robust Object Detection in Autonomous Driving -
2022 NeurIPS SafeBench: A Benchmarking Platform for Safety Evaluation of Autonomous Vehicles Code / Project Page
2022 USENIX Security Analysis of Camera-LiDAR Fusion Against Black-Box Attacks on Autonomous Vehicles -
2021 IEEE S&P Invisible for both Camera and LiDAR: Security of Multi-Sensor Fusion based Perception in Autonomous Driving Under Physical-World Attacks Code / Project Page
2021 T-DSC “Seeing is Not Always Believing”: Detecting Perception Error Attacks Against Autonomous Vehicles -
2021 CoRL Exploring Adversarial Robustness of Multi-sensor Perception Systems in Self Driving -
2021 IROS Adversarial Attacks on Camera-LiDAR Models for 3D Car Detection -
2021 T-VT Multi-Source Adversarial Sample Attack on Autonomous Vehicles -
2021 IJIS Camdar-adv: Generating adversarial patches on 3D object -
2020 USENIX Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing Project Page

About

A comprehensive repository of research papers and resources on adversarial attacks targeting autonomous driving perception systems, focusing on single-sensor vulnerabilities and multi-sensor fusion exploitation.

Resources

Readme

License

MIT license
Activity

Stars

11 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published